1 Discussion of “The Importance of the COBIT Framework IT Processes For Effective Internal Control over the Reliability of Financial Reporting: An International Survey” by David S. Kerr and Uday S. Murthy By Brad Tuttle Moore School of Business University of South Carolina Presented to UWCISA Toronto, CA October 12, 2007

2 I like this study because Potential to influence practice Potential to aid in developing theory of internal control in IT setting

3 Motivation Present state of knowledge: IC is ill-defined Unclear how IT affects IC COBIT should help get us started Research Questions: Which IT processes are important to internal control in a financial audit context? What affects consensus?

4 Method Participants: 189 members of ISACA respond to survey –Drawn from 21 different countries Familiarity with COBIT is less important than –Familiarity with IT processes (see Table 1) –Familiarity with financial statement audits

5 Suggestion International Participants: Countries with Investor focus (n=138) –Australia26 –Canada 3 –USA95 –S. Africa?14 Countries with non-investor focus (n=51)

6 Method On-line survey asks participants to –Rate 34 COBIT processes for their “…perception of the importance of each IT process to achieving effective internal control over the reliability of financial reporting…” –Indicate which 10 processes are most important … –Implementation measures (problematic, not reported)

7 Research Question 1 In the context of the reliability of financial reporting, what is the relative importance of each of the 34 IT control and security processes?

8 Table 1a COBIT Processes Sorted by Mean Importance Ratings COBIT Version 3 ProcessDescription of process Ranked by KW Import. Rating Ranked by TV Risk Rating DS5Ensure System Security12 AI6Manage Changes21 PO9Assess Risk34 DS11Manage Data46 M2Assess Internal Control Adequacy55 PO8Ensure Compliance with External Requirements63 DS10Manage Problems and Incidents78 AI4Develop and Maintain Procedures811 M1Monitor the Process912 PO11Manage Quality10

9 John Rady Ernst & Young LLP 404 IT: Changes to Compliance and Cutting Cost$ (Webcast 2005) M2 AI6 AI4 DS5 M1 ? ? ? ? ?

10 Tuttle and Vandervelde (2007) Question posed to IT auditors (n=29): “consider the risk to the typical organization associated with an unsatisfactory outcome in each of the following CobiT processes.” Rank correlation = with KM importance ratings

11 Table 1a COBIT Processes Sorted by Mean Importance Ratings COBIT Version 3 ProcessDescription of process Ranked by KM Import. Rating Ranked by TV Risk Rating DS5Ensure System Security12 AI6Manage Changes21 PO9Assess Risk34 DS11Manage Data46 M2Assess Internal Control Adequacy55 PO8Ensure Compliance with External Requirements63 DS10Manage Problems and Incidents78 AI4Develop and Maintain Procedures811 M1Monitor the Process912 PO11Manage Quality10

12 COBIT Version 3 ProcessDescription of process Ranked by KM Import. Rating Ranked by TV Risk Rating DS4Ensure Continuous Service1117 M4Provide for Independent Audit1220 DS7Educate and Train Users13 PO10Manage Projects1422 M3Obtain Independent Assurance1516 DS9Manage the Configuration1614 PO2Define the Information Architecture1729 DS13Manage Operations18 PO1Define a strategic IT plan199 AI5Install and Accredit Systems207 Table 1a COBIT Processes Sorted by Mean Importance Ratings

13

14

15 Table 2 CobiT v.4 Importance Ratings For the Ten Most Important IT Processes per Kerr and Murthy CobiT ProcessDescriptsion Mean KM Importance Rating CobiT Importance DS5Ensure System Security4.661High AI6Manage Changes4.487High PO9Assess Risk4.413Medim DS11Manage Data4.333High M2Assess Internal Control Adequacy4.328Medium PO8Ensure Compliance with External Requirements (version 4=ME 3) 4.222High DS10Manage Problems and Incidents4.101Medium AI4Develop and Maintain Procedures4.085Low M1Monitor the Process4.079High PO11Manage Quality (version 4=PO8)4.074Medium

16 Table 2 CobiT v.4 Importance Ratings For the Ten Most Important IT Processes per Kerr and Murthy Importance LevelCount Mean Importance Ranking High Medium Low14.085

17

18 COSO and COBIT Analysis Dependent Variable: KM importance ratings Independent Variables (coded P=1): Control Evaluation Risk Assessment Control Activities Information and Communication Monitoring

19 Research Question 2 In the context of the reliability of financial reporting, to what extent does the relative importance of each of the 34 IT control and security processes vary as a function of characteristics of the IT professionals within the organization?

20 Better Questions AIS serve multiple informational purposes within organizations: How does importance differ for financial audits compared to IT in general? How do perceptions differ between management, IT personnel, and auditors? Pre versus Post SOX experience?

21 Table 3 Exploratory Factor Analysis of Ten Most Important IT Processes Using Tuttle and Vandervelde 2007 Data CobiT ProcessDescriptionFactor 1Factor 2 Eigenvalue M2Assess Internal Control Adequacy M1Monitor the Process PO9Assess Risk AI4Develop and Maintain Procedures DS10Manage Problems and Incidents DS11Manage Data DS5Ensure System Security AI6Manage Changes PO11Manage Quality (version 4=PO8) PO8Ensure Compliance with External Requirements (version 4=ME 3)

22 Nitpicks CobiT version 4 drops the term “best practices” Some COBIT processes change from version 3 to version 4 Tables 7, 8, and 9 not related to research questions

23 I like this study because Potential to influence practice –What is and isn’t important –What is the relationship between IT and COSO Potential to aid in developing theory of internal control in IT setting –What constitutes IC –COBIT = framework (theory) of IT control